GDPR compliance
-
Is anyone dealing with this?
I have done a quick preliminary analysis, and the result is that I would need the ability to set a log retention period for captive portal logs.
-
There's nothing to deal with.
Set up a syslog server and store the data there.
-
There's nothing to deal with.
Set up a syslog server and store the data there.
But the data (logs) also remains inside pfSense, because remote syslogging means taking a log and copying it to a remote machine.
-
But the data (logs) also remains inside pfSense, because remote syslogging means taking a log and copying it to a remote machine.
Have a look at these logs first ;)
Btw: pfSense uses circular logs that have a fixed size. This means that once they are full, old information is overwritten. Which implies that old information will be destroyed in the near future. They are auto-cleaning!
As long as you, as an admin, are not logging all kinds of information like user traffic with the help of packages like, for example, squid, you have nothing to do with this "private act".
IP addresses, and even MAC addresses, are not considered as "private info" **.
And even if you do, think about destroying the info - and never use the info. Do so, and you'll be fine for more than 99%.
Facebook and Google will take care of the latter 1% soon.
GDPR compliance or not, it's true that many countries ask to log (local - so worthless) IP addresses and MAC addresses when you offer Internet access (with the help of the captive portal).
** and if they were, well, the guy who pretends so should not be using the "Internet" anymore as a public communication channel.
-
IP addresses are regarded as PII under GDPR, see the ECJ ruling. Explanation here:
https://www.enterprisetimes.co.uk/2016/10/20/ecj-rules-ip-address-is-pii/
You'll need to have a "right to be forgotten" process for that log data, plus you will probably have to declare the logs' existence in your data policies.
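
A sketch of the retention and erasure step for the remote syslog archive discussed in this thread, added here as an example and not taken from any poster or from pfSense. It assumes the syslog server writes one line per event with a leading ISO 8601 timestamp; the log lines, the `portal` tag and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a remote syslog archive (hosts, users, MACs, IPs are made up).
SAMPLE = [
    "2018-03-01T09:00:00+00:00 fw1 portal[411]: LOGIN alice aa:bb:cc:dd:ee:01 192.168.1.10",
    "2018-05-20T10:15:30+00:00 fw1 portal[412]: LOGIN bob AA:BB:CC:DD:EE:02 192.168.1.1",
    "2018-05-21T11:00:00+00:00 fw1 portal[413]: LOGIN carol aa:bb:cc:dd:ee:03 192.168.1.10",
    "2018-05-22T08:30:00+00:00 fw1 portal[414]: LOGOUT bob aa:bb:cc:dd:ee:02 192.168.1.1",
    "garbled line without a timestamp",
]

def _matcher(identifier):
    # Exact-token match, so erasing 192.168.1.1 does not also hit 192.168.1.10.
    if ":" in identifier:                      # MAC address
        tail = r"(?![0-9A-Fa-f]|:[0-9A-Fa-f])"
    else:                                      # IPv4 address
        tail = r"(?![0-9]|\.[0-9])"
    return re.compile(r"(?<![0-9A-Za-z.:])" + re.escape(identifier) + tail, re.IGNORECASE)

def apply_retention(lines, now, max_age_days, erase=()):
    """Return (kept_lines, stats) after dropping expired and erased entries."""
    cutoff = now - timedelta(days=max_age_days)
    matchers = [_matcher(i) for i in erase]
    kept, stats = [], {"expired": 0, "erased": 0, "unparsed": 0}
    for line in lines:
        if any(m.search(line) for m in matchers):
            stats["erased"] += 1               # erasure request wins over everything else
            continue
        try:
            ts = datetime.fromisoformat(line.split(" ", 1)[0])
        except ValueError:
            stats["unparsed"] += 1             # keep for manual review, do not guess its age
            kept.append(line)
            continue
        if ts.tzinfo is None:                  # assumption: naive timestamps are UTC
            ts = ts.replace(tzinfo=timezone.utc)
        if ts < cutoff:
            stats["expired"] += 1
        else:
            kept.append(line)
    return kept, stats

if __name__ == "__main__":
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    kept, stats = apply_retention(SAMPLE, now, 30, erase=["192.168.1.1"])
    print(stats)
    print("\n".join(kept))
```

Lines whose timestamp cannot be parsed are counted and kept so that an operator can review them instead of having them silently survive or vanish.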
-
So you're probably aware of the following, but it does cover what I understand to be the most relevant aspects of GDPR in relation to a pfSense device.
https://www.firewallhardware.it/en/gdpr-pfsense-opnsense/
You'll know what you are using the device for, so some aspects will affect you more than others.